
Phase 4 - Documentation: Collecting results

Documentation is an essential part of every penetration test. During the pentest, every step is thoroughly documented, so that after the test all actions can be reconstructed in detail. At the end of the pentest, this documentation serves as the basis for an individual report that makes the results of the test comprehensible both to the technical administration and to management. The page count of such a report is normally in the three-digit range. The whole report is written by the pentesters involved, so that there is a direct relation between the documentation and the pentest itself.

Long story short

Detailed pentest report

The report consists of several parts. At the beginning, there is a short management summary, which condenses all important results of the pentest into a precise overview of a few pages. This summary is deliberately kept non-technical, so that anyone without in-depth technical knowledge can get an overview of the risk potential and gain an objective basis for further decisions.

Details and technical aspects

The second part is a comprehensive technical report with a detailed description of the chronological course of the pentest. This makes the pentest transparent and comprehensible for technically trained readers. For every security flaw, extensive documentation is provided, which precisely describes the technical background of the vulnerability and how it may be exploited. Additionally, a risk analysis shows the potential impact of the flaw in the context of the network. The third subpart consists of constructive proposals for solutions to the individual problems, giving direct ideas for improvement.